How do I check user input prior to processing it?

In addition to PHP's native types, the following type names are accepted:

time: UTC timestamp (type integer, length 11)
ip: IP address (type string, length 15)
mail: e-mail address (type string)
select: treated as "string"
text: treated as "string"

Parameter   Type      Default   Description
length      integer   0         Maximum length of the data
escape      integer   0         Escape mode; see the table of escape constants below

List of parameters for untaintInput

The parameter $escape can be any one of the following constants.

Identifier              Description
YANA_ESCAPE_NONE        No changes (default)
YANA_ESCAPE_SLASHED     Converts single and double quotation marks to their backslash escape sequences (C notation)
YANA_ESCAPE_TOKEN       Replaces tokens by their HTML entities
YANA_ESCAPE_CODED       Replaces HTML symbols, such as tags, by entities
YANA_ESCAPE_LINEBREAK   Converts all whitespace characters (in particular line breaks) into spaces
YANA_ESCAPE_USERTEXT    For input from text area fields: trims white space, removes repeated text and wraps oversized strings

Valid values for parameter $escape, function untaintInput

For INPUT fields you should always call untaintInput() with the parameter YANA_ESCAPE_LINEBREAK. A value from a single-line field has no legitimate reason to contain a line break; if an attacker smuggles a CR or LF into it and the value is later written into an e-mail header, an HTTP header or a log entry, the line break lets them inject an additional header or record. Collapsing all whitespace to spaces removes that possibility. For TEXTAREA fields you should use YANA_ESCAPE_USERTEXT. This prevents many forms of flooding by constantly repeated text (copy'n'paste flooding), wraps oversized strings and trims white space, and thus ensures that user-supplied text does not break the layout of your page.

Note that none of these modes replaces output encoding for the context the value ends up in: a value echoed into HTML still needs HTML entity encoding (YANA_ESCAPE_CODED, or htmlspecialchars() at output time), and a value used in a database query should be passed as a bound parameter of a prepared statement rather than relying on quote escaping such as YANA_ESCAPE_SLASHED.
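The following PHP is an added illustration for this FAQ entry; it is not the Yana Framework's untaintInput() and not code from the original page. It implements the three checks the tables above describe (type allow-list, maximum length, caller-chosen escape mode) in one small function so that you can see what each mode does to a concrete input. The names untaintExample and ESCAPE_* are hypothetical, the argument order is an assumption (the real signature is not given on this page), and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not the Yana Framework's untaintInput(). Names below
// (untaintExample, ESCAPE_*) are hypothetical; the argument order is assumed.
const ESCAPE_NONE      = 0;  // no change
const ESCAPE_CODED     = 1;  // HTML symbols (tags, quotes) become entities
const ESCAPE_LINEBREAK = 2;  // every run of whitespace, line breaks included, becomes one space
const ESCAPE_USERTEXT  = 3;  // text areas: trim, drop repeated lines, wrap long lines

/**
 * Validate $value as $type, enforce $maxLength (0 = unlimited) and apply the
 * chosen escape mode. Returns the cleaned value, or null when the input is
 * rejected; the caller must treat null as "do not process".
 */
function untaintExample(string $value, string $type, int $maxLength = 0, int $escape = ESCAPE_NONE): ?string
{
    // Length first: an oversized value is rejected before any other work.
    // strlen() counts bytes, which is the right unit for a storage limit.
    if ($maxLength > 0 && strlen($value) > $maxLength) {
        return null;
    }

    // Type check: an allow-list of shapes, never a deny-list of bad characters.
    switch ($type) {
        case 'integer':
            if (!preg_match('/^-?\d+$/', $value)) {
                return null;
            }
            break;
        case 'time':
            // UTC timestamp as in the parameter table: digits only, at most 11
            if (!preg_match('/^\d{1,11}$/', $value)) {
                return null;
            }
            break;
        case 'ip':
            if (filter_var($value, FILTER_VALIDATE_IP) === false) {
                return null;
            }
            break;
        case 'mail':
            if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                return null;
            }
            break;
        case 'string':
        case 'select':
        case 'text':
            break;  // any byte sequence is acceptable; the escape mode decides how it is rendered
        default:
            throw new InvalidArgumentException("unknown type: $type");
    }

    switch ($escape) {
        case ESCAPE_NONE:
            return $value;
        case ESCAPE_CODED:
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        case ESCAPE_LINEBREAK:
            // \r, \n, \t, \f, \v and repeated spaces all collapse to a single space,
            // so the value can no longer start a new line in a header or log entry
            return preg_replace('/\s+/', ' ', $value);
        case ESCAPE_USERTEXT:
            $text = trim($value);
            // collapse a line that is immediately repeated (copy'n'paste flooding)
            $text = preg_replace('/^(.+)(?:\R\1)+$/m', '$1', $text);
            // break overlong words so that a very long token cannot widen the page
            return wordwrap($text, 80, "\n", true);
        default:
            throw new InvalidArgumentException("unknown escape mode: $escape");
    }
}

// Constructed inputs exercising each path: a CRLF smuggled into a single-line
// field is collapsed to a space, a malformed address is rejected (null),
// markup is entity-encoded, and a flooded text area is de-duplicated and wrapped.
$header = untaintExample("Bob\r\nBcc: victim@example.org", 'string', 100, ESCAPE_LINEBREAK);
$ip     = untaintExample('999.1.1.1', 'ip');
$html   = untaintExample('<b>x</b>', 'text', 0, ESCAPE_CODED);
$flood  = untaintExample("spam\nspam\nspam\n" . str_repeat('A', 200), 'text', 0, ESCAPE_USERTEXT);

var_dump($header, $ip, $html, $flood);
```

The order of the checks is deliberate: the length limit runs before any regular expression or filter so that a multi-megabyte value is discarded cheaply, and the type check is an allow-list so that an input is accepted only when it matches the shape the field expects. The escape step is kept last and separate from validation because it is tied to where the value will be used, which is why the FAQ recommends a different mode for INPUT and TEXTAREA fields.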